DOD INTERNET PRACTICES AND POLICIES

Report No. D-2001-130                                              May 31, 2001

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932 or visit the Inspector General, DoD, Home Page at: www.dodig.osd.mil.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900. The identity of each writer and caller is fully protected.

Acronym
OMB    Office of Management and Budget

Office of the Inspector General, DoD
Report No. D-2001-130                                              May 31, 2001
(Project No. D2001AB-0065)

DoD Internet Practices and Policies
Executive Summary

Introduction. This report is in response to Section 646 of the Treasury and General Government Appropriations Act, 2001, as contained in Public Law 106-554, Consolidated Appropriations Act. Section 646 requires the Inspector General to submit a report to Congress that discloses DoD activity on collecting, creating, sharing, and reviewing personally identifiable information about individuals and their viewing habits at Government web sites.

The Office of Management and Budget and DoD issued policy on privacy and data collection activities at Government web sites. That policy prohibits the use of web technology to collect identifying information to build profiles on individuals, and prohibits the use of persistent cookies unless certain conditions are met, including obtaining the personal approval of the head of the agency. That authority for DoD is the Secretary of Defense. Examples of the information-gathering technology are “persistent cookies,” “third-party cookies,” and “web bugs.” Persistent cookies are a short string of text sent by a web server and stored on a user’s computer until a future expiration date. Third-party cookies are placed by a web site other than the site being visited. Web bugs are almost invisible graphics included on a web site or in an e-mail message that are designed to monitor those who visit the web site. Policy also requires the display of a privacy notice at principal web sites and locations where substantial personal information is collected from visitors. A privacy notice should inform visitors that the web site is public information and uses software programs to monitor for prohibited activities. In addition, the privacy statement should provide a point of contact for the web site.

Objectives. Our objective was to evaluate the DoD practices and policies on personally identifiable information gathered on individuals who access DoD Internet web sites.

Results. DoD issued privacy and data collection policy on DoD public web sites and took steps to validate compliance with Office of Management and Budget guidance on privacy. However, for 400 DoD Internet web sites reviewed, we identified:

 • 128 persistent cookies, of which 38 were third-party commercial cookies, and 7 contained known web bugs.
 • 100 sites that did not contain a privacy notice.
 • 61 of 80 sites that requested voluntary personal information and did not contain a privacy notice.

Further, DoD was unaware of how commercial companies store, protect, and market information collected from DoD web sites. As a result, DoD Components and commercial companies supporting the web sites knowingly and unknowingly collected information on individuals without providing adequate disclosures in a privacy statement and without the approval of the Secretary of Defense. We did not specifically identify the type of information collected. Also, previous DoD assurances to the Office of Management and Budget that the requisite policies had been fully implemented were premature. For details of the audit results, see the Finding section of the report.

Management Actions. All 36 web masters whose sites contained collection devices agreed to remove the persistent cookies and web bugs, or remove the web site from the Internet. The web masters also agreed to verify that corrective actions were taken. In addition, on April 26, 2001, DoD updated the “DoD Web Site Administration Policies and Procedures,” December 7, 1998, to incorporate changes in the Office of Management and Budget policy on privacy, data collection, and the use of cookies at Federal web sites. The April 26, 2001, policy update is in Appendix B.

Summary of Recommendations. We recommend that the Assistant Secretary of Defense (Command, Control, Communications and Intelligence), in consultation with the Defense Privacy Office, require the DoD Components to report on their actions to distribute DoD privacy and data collection policy to their web masters, provide their web masters with instructions to identify data collection devices, eliminate third-party cookies and other data collection devices, post privacy notices at major entry points to a site and at sites where substantial personal information is collected from the public, and hold web masters accountable for compliance with DoD and Office of Management and Budget data collection policy on a continuing basis. We also recommend that the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) revise the DoD Web Site Administration Policy to clearly show that the policy on the use of persistent cookies applies to both non-user-identifying information and user-identifying information.

Management Comments. The Deputy Assistant Secretary of Defense (Security and Information Operations), who responded for the Assistant Secretary of Defense (Command, Control, Communications and Intelligence), partially concurred with the recommendations and provided a completion date of August 31, 2001. He agreed that DoD used persistent cookies but stated that our report did not necessarily support a conclusion that the persistent cookies were being used to collect user-identifying information. The Director, Defense Privacy Office, stated that the report did not address whether the information collected was user-identifying data and whether the data were used in a prohibited manner or used to build profiles or track visitors’ activities. The Director stated that the report assumed the web sites visited were principal web sites, known major entry points, or sites where substantial personal information is collected and therefore required privacy statements. The Deputy Assistant Secretary and the Director suggested changes to the report to consider recent policy changes and other points. The Finding section of the report contains a discussion of management comments. The complete text of management comments is in the Management Comments section.

Audit Response. Management comments to the recommendations were responsive. We acknowledge that our review did not specifically identify what type of information was collected. However, our review focused on whether collection devices, such as persistent cookies, existed at the web sites. As stated in the Office of Management and Budget policy, even if persistent cookies did not themselves contain personally identifiable information, such cookies can often be linked to a person after the fact, even where that was not the original intent of the web master. The Office of Management and Budget policy clearly applies to all uses of persistent cookies because by their very nature those cookies collect some type of information based on visits made by individuals to a web site. We used the Internet web sites listed in the Government Information Locator Service because it is the single entry point where the public can locate, access, and obtain DoD information. We made changes to the report based on the Director and Deputy Assistant Secretary comments. We revised and added recommendations. Accordingly, we request additional management comments by July 2, 2001.

Table of Contents

Executive Summary

Introduction
    Background                                                          1
    Objectives                                                          2

Finding
    DoD Internet Access, Practices, and Policies                        3

Appendixes
    A. Audit Process
        Scope and Methodology                                          13
        Prior Audit Coverage                                           14
    B. Revision to DoD Web Site Administration Policy                  15
    C. Report Distribution                                             21

Management Comments
    Office of the Assistant Secretary of Defense (Command, Control,
        Communications and Intelligence)                               23
    Defense Privacy Office                                             26

Background

Section 646 of the Treasury and General Government Appropriations Act, 2001. As contained in Public Law 106-554, the Consolidated Appropriations Act requires the Inspector General of each Government Department to submit a report to Congress that discloses the agency’s activity on collecting or reviewing singular data, or the creation of aggregate lists that include personally identifying information, about individuals who access the Department’s Internet web sites. In addition, the Inspectors General must report agency activities relating to agreements with third parties, including other Government agencies, to collect, review, and obtain aggregate lists or singular data of personally identifiable information relating to an individual’s access or viewing habits.

Internet Web Site. Congressional officials defined an Internet web site as an agency’s principal web site, as well as any other major entry point that includes home pages of agency components and web sites that receive a high number of visits, and any web site where substantial amounts of personal information are collected or posted. Involuntary information can be collected through the use of cookies and web bugs.

Cookies. Cookies are short strings of text sent by a web server and stored on a user’s system so they can later be read back from that system. Using cookies is a convenient technique for having the browser remember some specific information. Two types of cookies are used: domain and third-party. Domain cookies are placed by the visited web site. Third-party cookies are placed by a web site other than the site being visited. Cookies may also be either session or persistent cookies. Session cookies are short-lived and expire once the user exits the browser, whereas persistent cookies have specific expiration dates and remain on the client’s computer until the specified expiration date. Persistent cookies can be used to track users’ browsing behavior by identifying users’ Internet web addresses.

Web Bug. A web bug is an invisible graphic included on a web site or in an e-mail message designed to monitor who visits the web site or reads e-mail messages. Web bugs may be used to add information to a personal profile of what sites a person is visiting. Other uses of web bugs include counting the number of people that visit a particular site, and gathering statistics about browser usage at different places on the Internet. Web bugs are not readily visible because they are very small.

Office of Management and Budget Privacy Policy. The Office of Management and Budget (OMB) Memorandum M99-18, “Privacy Policies on Federal Web Sites,” dated June 2, 1999, directed agencies to post clear privacy policies on world wide web sites, at other known major entry points to the site, and on any web page where substantial personal information is collected from the public.
The policy states that, if an agency collects information, it must disclose the information collected and why and how it will be used.

OMB Memorandum M-00-13, “Privacy Policies and Data Collection on Federal Web Sites,” dated June 22, 2000, reaffirmed the June 1999 memorandum and prohibits the use of cookies unless there is a compelling need to collect the data, a conspicuous notice is given by the collection activity, appropriate and publicly disclosed privacy safeguards are implemented for handling the data, and the collection is personally approved by the head of the agency. In the memorandum, OMB requested that all Federal agencies, as part of the agency budget submission, describe their privacy policy and steps to ensure compliance with the OMB guidance. On September 5, 2000, OMB issued clarifying guidance stating that the June 2000 guidance would apply to persistent cookies only.

DoD Privacy Guidance. Two years before OMB issued its policy on posting privacy notices, DoD had promulgated policies in that area in “Web Site Administration,” December 7, 1998. Three years before OMB issued its policy on cookies, DoD established policies on collection of user-identifying information and the use of cookies in “Establishing and Maintaining a Publicly Accessible Department of Defense Web Information Service,” July 18, 1997. Upon receipt of OMB Memorandum M-00-13, which reaffirmed its policy on privacy notices and established its cookie policy, DoD again issued privacy and data collection policy on DoD public web sites and took steps to validate compliance with OMB guidance on privacy.

DoD Memorandum, “Privacy Policies and Data Collection on DoD Public Web Sites,” July 13, 2000, requires the display of a privacy notice at principal web sites and at locations where substantial personal information is collected from visitors. The policy does not permit the use of web technology to collect identifying information to build profiles on individuals. Also prohibited is the use of persistent cookies without notification in the privacy statement of what is being collected and how it would be used. In addition, the use of a persistent cookie must be personally approved by the Secretary of Defense.

On April 26, 2001, DoD updated the “DoD Web Site Administration Policies and Procedures,” December 7, 1998, to incorporate changes in the Office of Management and Budget policy on privacy, data collection, and the use of cookies on Federal web sites. The changes prohibited the use of persistent cookies unless specific conditions were met and required the personal approval of the Secretary of Defense. The changes in part restated the July 13, 2000, memorandum on privacy. The changes are included in Appendix B.

Objectives

Our objective was to evaluate the DoD practices and policies on personally identifiable information gathered on individuals who access DoD Internet web sites. See Appendix A for a discussion of the audit scope and methodology and prior audit coverage.

DoD Internet Access, Practices, and Policies

DoD issued privacy and data collection policy on DoD public web sites and took steps to validate compliance with OMB guidance on privacy. However, for 400 DoD Internet web sites reviewed, we identified:

 • 128 persistent cookies, of which 38 were third-party commercial cookies, and 7 contained known web bugs.
 • 100 sites that did not contain a privacy notice.
 • 61 sites that requested voluntary personal information and did not contain a privacy notice.

Further, DoD was unaware of how commercial companies store, protect, and market information collected from DoD web sites. Noncompliance with DoD and OMB policies occurred because the Services and DoD Components did not adequately disseminate guidance on privacy disclosure and on the use of collection devices to the web masters of DoD Internet sites, did not adequately educate the web masters on identifying collection devices, and did not have a process to verify compliance with DoD and OMB policy. As a result, DoD and commercial companies supporting the web sites knowingly and unknowingly collected information on individuals without providing adequate disclosures in a privacy statement and without the approval of the Secretary of Defense. We did not specifically identify the type of information collected.

DoD Implementation and Verification of Privacy Policies

Section 552a of the Privacy Act of 1974. Section 552a, title 5, United States Code, of the Privacy Act of 1974 (the Act) states that individuals have a right to access agency records containing information about themselves and the right to request amendments to the records that are inaccurate, irrelevant, untimely, or incomplete. The Act applies only to Federal records that are retrieved by name or other personal identifier. The Act requires agencies to inform an individual of the authority for collecting, whether disclosure by the individual is voluntary or mandatory, the principal purposes for which the information will be used, the routine uses that may be made of the information, and the consequences of not providing the information. In addition, agencies must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of the records.

DoD Privacy Guidance. DoD Memorandum, “Privacy Policies and Data Collection on DoD Public Web Sites,” July 13, 2000, requires the display of a privacy notice at principal web sites and where substantial personal information is collected from visitors. Privacy notices should inform visitors that the web site is public information, that the Government collects information for statistical purposes, and that it uses software programs to monitor for prohibited activities. In addition, the privacy statement should provide a point of contact for the web site. The policy guidance prohibits the use of web technology to collect user-identifying information to build profiles on individuals, and prohibits the use of persistent cookies. It permits the use of web technology to obtain non-user-identifying information only if visitors are advised in the privacy statement of what is being collected, and why and how it would be used. In addition, the use of a persistent cookie must be personally approved by the Secretary of Defense. The memorandum requires Components to review their privacy practices and take corrective action to comply with policy.

Verification of OMB Guidance. To verify compliance with the July 13, 2000, DoD Memorandum, the Director, Administration and Management, Office of the Secretary of Defense, contacted DoD agencies, including the Services, to request that they report the status of their web sites’ compliance with DoD policy and OMB guidance by October 2000. Twenty responded in writing that they had taken steps to ensure that their sites conformed to guidance. On December 14, 2000, the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) reported to OMB that DoD Components’ web sites complied with privacy guidance or, if not, that corrective actions were being taken to bring them into compliance.

DoD issued policy, obtained written confirmation of compliance, and reported to OMB that DoD Components complied with OMB guidelines on privacy policies for DoD Internet web sites.

Sample of DoD Internet Web Sites

Using the January 10, 2001, listing of DoD Internet web sites included in the Government Information Locator Service, we selected 400 DoD Internet web sites from a universe of 2,608 registered sites to review for the presence of persistent cookies, third-party commercial cookies, and web bugs; for privacy statements at Internet sites and at information collection locations; and for measures taken to safeguard the information collected. The Government Information Locator Service is the single entry point where the public can locate, access, and obtain DoD information. The universe and sample by Component are shown in Table 1.

Table 1. Universe and Sample of DoD Internet Sites Registered with the Government Information Locator Service

    Component        Universe      Sample
    Army                  414          90
    Navy                1,441         110
    Air Force             416          90
    Marines               172          60
    Other¹                165          50
    Total               2,608         400

¹ Others include the Office of the Secretary of Defense, Defense agencies, the Unified Commands, and DoD Field Activities.

Involuntary Collection of Personal Information

Collection Devices. At the 400 DoD web sites sampled, we identified 128 persistent cookies, including 38 placed by a commercial web site and 7 containing known web bugs. Table 2 displays by Service the number of web sites sampled, the number of persistent cookies, third-party cookies, and known web bugs.

Table 2. Sample of DoD Web Sites and Numbers of Sites That Contain Persistent Cookies, Third-Party Commercial Cookies, and Web Bugs

                                   Persistent    Third-Party Commercial
    Component        Sample        Cookies       Cookies                   Web Bugs
    Army                 90            26                 9                     0
    Navy                110            40                11                     2
    Air Force            90            29                 6                     2
    Marine Corps         60            18                 8                     3
    Other                50            15                 4                     0
    Total               400           128                38                     7

Persistent and Third-Party Cookies. We performed tests using Microsoft Internet Explorer to identify persistent cookies. Where a persistent cookie appeared, we made a second visit to the site using a different computer at a different time to confirm the finding. During both visits, we documented the time and the date to validate the cookie. We identified 128 persistent cookies, of which 38 cookies, or 30 percent, were third-party cookies placed by commercial web sites outside the DoD and Government community. Although we identified persistent cookies, DoD officials stated that the Secretary of Defense had not granted permission for any of the Services or DoD agencies to use them on DoD Internet web sites.

Web Bugs. At the 400 sites visited, we used a software program, “Bugnosis Beta 5,” provided by the Privacy Foundation, University of Denver, to profile DoD web sites for web bugs. A rating of 1 or more indicates that a web bug was probably in use at the site. Using the software program, we profiled 30 potential web bugs.
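The checks this section and the Background definitions describe (a cookie is persistent when it carries an expiration, third-party when it is set by a host outside the visited site, and a tiny image is a web-bug candidate) can be scripted against a captured visit. The Python below is an added example written for this edit; it is not the auditors' tool, it does not reproduce the Bugnosis rating, and the host names, cookie values and the "last two labels" domain rule are constructed assumptions.

```python
"""Scan a captured web visit for the three collection devices the audit counts:
persistent cookies, third-party cookies and web-bug candidates (1x1 images).
Added example; heuristics are simplified assumptions, not the auditors' method."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass
class CookieFinding:
    name: str
    set_by: str          # host of the response that set the cookie
    persistent: bool     # survives browser exit: future Expires or Max-Age > 0
    third_party: bool    # set by a host outside the visited site's domain


@dataclass
class WebBugCandidate:
    src: str
    host: str
    third_party: bool
    has_query: bool      # a query string can carry a per-visitor identifier


def site_domain(host):
    """Crude registrable domain: last two labels (assumption, not a public-suffix lookup)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {attribute: value}) with lowercased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def is_persistent(attrs, now):
    """Max-Age takes precedence over Expires; Max-Age <= 0 or a past date deletes the cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (ValueError, TypeError):
            return True      # unparseable date: flag it, the conservative choice for an audit
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires > now
    return False             # no expiration attribute at all: a session cookie


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in a page."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def scan_site(visited_url, responses, now):
    """responses: dicts with 'url', optional 'set_cookie' (list of header values) and 'html'."""
    visited = site_domain(urlsplit(visited_url).hostname)
    cookies, bugs = [], []
    for resp in responses:
        host = urlsplit(resp["url"]).hostname or ""
        for header in resp.get("set_cookie", []):
            name, attrs = parse_set_cookie(header)
            cookies.append(CookieFinding(name, host, is_persistent(attrs, now),
                                         site_domain(host) != visited))
        if resp.get("html"):
            collector = _ImgCollector()
            collector.feed(resp["html"])
            for img in collector.imgs:
                w, h = _dimension(img.get("width", "")), _dimension(img.get("height", ""))
                if w is None or h is None or w > 1 or h > 1:
                    continue         # only declared 1x1 (or 0x0) images are candidates here
                src = img.get("src", "")
                parsed = urlsplit(src)
                img_host = parsed.hostname or host   # relative src: served by this response's host
                bugs.append(WebBugCandidate(src, img_host, site_domain(img_host) != visited,
                                            bool(parsed.query)))
    return cookies, bugs


def summarize(cookies, bugs):
    """Counts in the shape of the report's Table 2 columns."""
    return {"persistent_cookies": sum(c.persistent for c in cookies),
            "third_party_persistent": sum(c.persistent and c.third_party for c in cookies),
            "web_bug_candidates": len(bugs),
            "third_party_web_bugs": sum(b.third_party for b in bugs)}


# Constructed sample capture of one visit; hosts, names and values are made up.
AUDIT_DATE = datetime(2001, 5, 31, tzinfo=timezone.utc)
SAMPLE_VISIT = "http://www.example.mil/"
SAMPLE_RESPONSES = [
    {"url": "http://www.example.mil/",
     "set_cookie": ["ASPSESSIONID=abc123; path=/",
                    "visitor=4711; expires=Sat, 01 Jan 2011 00:00:00 GMT; path=/"],
     "html": '<html><body><img src="/logo.gif" width="200" height="50">'
             '<img src="http://stats.tracker-example.com/pixel.gif?id=4711" width="1" height="1">'
             '</body></html>'},
    {"url": "http://stats.tracker-example.com/pixel.gif?id=4711",
     "set_cookie": ["uid=987; Max-Age=31536000; path=/"]},
    {"url": "http://www.example.mil/about.html",
     "set_cookie": ["prefs=none; Max-Age=0; path=/"],
     "html": '<img src="clear.gif" width=1 height=1 alt="">'},
]

if __name__ == "__main__":
    found_cookies, found_bugs = scan_site(SAMPLE_VISIT, SAMPLE_RESPONSES, AUDIT_DATE)
    for finding in found_cookies + found_bugs:
        print(finding)
    print(summarize(found_cookies, found_bugs))
```

Run stand-alone, it lists each finding for the constructed visit (two persistent cookies, one of them set by the third-party tracking host, and two 1x1 images, one third-party with an identifier in its query string) and prints a Table 2-style summary. In a real audit the Set-Cookie headers and HTML would come from a browser or proxy capture, the two-visit confirmation the report describes would compare cookie names and expiration dates between captures, and the domain rule would be replaced by a public-suffix lookup.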
After an analysis of the web site\xe2\x80\x99s software code, only\n     7 were determined to be known web bugs. However, based on the information\n     available at the web site, we could not determine whether the 7 web bugs\n     collected personal information. Two of the 7 had a DoD Internet web address\n     with the suffix of \xe2\x80\x9c.MIL.\xe2\x80\x9d The other 5 sites were commercial web addresses.\n\n     Web Masters and Involuntary Collection of Personal Information. We\n     visited 36 web masters who managed the sites where we found 36 cookies and\n     3 known web bugs. A web master manages the web site and is responsible for\n     the editorial content, quality, and style of the site. Of the 36 cookies, 14 were\n     third-party cookies set by a commercial company. We asked the web masters\n     whether they were aware of the cookie or web bug and whether they were aware\n     of the DoD policy on these collection devices. Of the 36 webmasters, 10 were\n\n\n\n\n                                         5\n\x0caware of the collection device at those sites. Table 3 shows the number of web\nmasters by Component who were aware of the cookie or web bug and their\nknowledge of the DoD policy.\n\n           Table 3. Web Masters Aware of the Collection Device\n                                            Aware Of DoD Policy\n          Component          Number           Yes            No\n          Army                 3               1              2\n          Navy                 1               0              1\n          Air Force            3               1              2\n          Marine Corps         2               0              2\n          Other                1               1              0\n           Total              10               3              7\n\nSeven web masters were aware of the collection devices but were unaware of\nDoD policy. 
As a result, they did not review their web site for compliance.\nThree web masters who were aware of the collection device and DoD policy\ntook no action to remove the device or ask permission to retain it. The web\nmaster for an Army site stated that he used a commercial service to locate his\nweb site while awaiting a military address. The commercial service set a\npersistent cookie on visitors. The web master attempted to remove the cookie\nbut could not because the site was controlled by a commercial company. After\nour visit, the web master agreed to conform his web site to DoD policy. An Air\nForce web master stated that a persistent cookie was placed by another Air\nForce base using a software program called \xe2\x80\x9cweb trends,\xe2\x80\x9d which provides web\nmasters with statistical information on web site visitors. Since our visit, web\nsite officials removed the persistent cookie from the program. The web master\nfor a Defense Logistics Agency site stated that he obtained permission to use a\npersistent cookie; however, the Defense Logistics Agency granted permission to\nuse a session cookie only. Officials agreed to remove the persistent cookie.\nOf 36 web masters, 26 were unaware of the collection device at their sites.\nTable 4 shows the number of web masters by Component who were unaware of\nthe cookie or web bug and their knowledge of the DoD policy.\n\n          Table 4. 
Web Masters Unaware of the Collection Device\n                                               Aware Of DoD Policy\n         Component          Number               Yes           No\n         Army                 5                   4             1\n         Navy                 9                   5             4\n         Air Force            6                   2             4\n         Marine Corps         2                   0             2\n         Other                4                   3             1\n          Total              26                  14           12\n\nFourteen web masters were unaware of a cookie or web bug on their site but\nwere aware of the policy; however, they did not take steps to ensure that their\nweb site was compliant. The other 12 web masters were not aware of the\n\n\n                                   6\n\x0c    cookie or web bug and were unaware of the policy. Consequently, they took no\n    action. Web masters complained that they were not provided guidance on the\n    DoD policy or instructions to identify persistent cookies or web bugs.\n\n    All of the web masters visited agreed to remove the persistent cookie, including\n    commercial third-party cookies, web bug, or remove the web site from the\n    Internet. The web masters agreed to perform reviews to verify that corrective\n    actions have been taken.\n    Without knowing how to identify the persistent cookie and the DoD policy on\n    collection devices, web masters cannot be assured that their sites are in\n    compliance with DoD and OMB policy. The DoD Components must distribute\n    DoD policy to each web master, provide instructions to identify collection\n    devices, require them to eliminate cookies or third-party cookies that are not\n    approved, and verify that web masters have complied with policy.\n\nPrivacy Statements At Web Sites and Voluntary Collection\n  Locations\n    Privacy Statement. 
Of the 400 DoD Internet web sites that we sampled, we\n    identified 100 that did not contain a privacy statement. Of those 100 web sites,\n    34 contained a security statement instead of a privacy statement stating that it\n    was a DoD site and that DoD would monitor visitors to ensure authorized use\n    only. For the 34 sites that placed persistent cookies on visitors, the security\n    notice did not disclose what information was collected, why it was collected,\n    and how it would be used.\n\n    In addition, 80 of the 400 web sites gathered voluntary personal information\n    from visiting guests. For example, information solicited were names, e-mail\n    addresses, office addresses, and telephone numbers. Of these 80 collection\n    sites, 61, or 76 percent, did not contain a required privacy statement at the\n    collection site as required by DoD policy. Table 5 displays the sample of web\n    sites by Component, the number of web sites without a privacy statement, the\n    number that collected personal information, and the number without a privacy\n    statement at the personal collection location.\n\n\n\n\n                                         7\n\x0c Table 5. 
    Sample by DoD Component of Government Internet Web Sites Without a
    Privacy Statement at the Web Site and at the Personal Collection Location

                                 Missing        Web Sites that
                                 Privacy           Collect          Missing Privacy
                               Statement at      Voluntary            Statement at
   Component        Sample       Web Site        Information       Collection Location

   Army               90            19                18                   14
   Navy              110            28                19                   12
   Air Force          90            26                22                   18
   Marine Corps       60            16                10                    9
   Other              50            11                11                    8
    Total            400           100                80                   61

    We visited 32 web masters who did not place a privacy statement at the web site
    and the data collection site, or who placed a security statement at the web site
    while employing cookies or web bugs. We asked them whether they were aware of
    the missing privacy statement and aware of the DoD policy. Six of the 32 web
    masters indicated they were aware that their web site did not contain a privacy
    statement; however, they also stated that they had not been informed of the DoD
    policy to include a privacy statement on the web site. All agreed to take
    corrective action and include the necessary privacy notification.

    Twenty-three of the 32 web masters stated that they were unaware of the missing
    privacy statement. We asked them whether they were aware of the DoD policy.
    Ten of the 23 web masters were aware of the DoD policy but did not review
    their site to ensure compliance because they thought their web sites already met
    the policy requirements.
    The other 13 were unaware of the policy and the
    missing statement and consequently took no action. Table 6 is a summary of the
    23 web masters’ knowledge of DoD policy on privacy statements.

          Table 6. Web Masters’ Knowledge of Privacy Statements

                                        Aware Of DoD Policy
     Component          Number            Yes            No
     Army                 4                2              2
     Navy                 4                1              3
     Air Force            6                3              3
     Marine Corps         4                0              4
     Other                5                4              1
      Total              23               10             13

    The remaining three web masters visited had web sites that did not contain a
    privacy statement at the entry page or at the data collection location. Officials
    stated that they were aware of the disclosure requirement at the entry page but
    not at the collection site. None of the three web masters made their web site
    compliant until our visit.

    The Services and DoD agencies did not distribute the policy to all of the web
    masters. The web masters should be aware of the DoD policy on privacy
    statements and disclosure requirements. They must also review their web sites
    and collection locations for the presence of a privacy statement after they
    establish or revise the web site or after DoD issues new policy. In addition,
    DoD must verify compliance.

Security Over Information Collected

    Security of Voluntary Information. We visited 17 web masters to review the
    security of the voluntary personal information collected. We discussed data
    access, computer logs, corrections to inaccurate information, and third-party
    collection activities.
    We also asked whether visitors could request corrections to
    data submitted, whether information collected was combined with other personal
    information, and whether information was sold or given away.

    The web masters responded that they limited access to locations that stored
    personal information. All except one had procedures to limit access to locations
    that stored personal information, to protect voluntary information from
    unauthorized access through the use of passwords, and to delete information
    from storage locations when no longer required. A Navy web master was
    uncertain how the voluntary information collected was stored and protected
    because the voluntary information was transferred to a centralized server outside
    his control; however, he agreed to determine what the procedures were for
    storage and protection. Web masters permitted corrections to voluntary
    information collected from visitors if inaccuracies existed. All stated that they
    had not sold the information or combined it with other personal data to maintain
    or build profiles on visitors.

    Although controls over the access to and use of voluntary information were
    adequate to ensure that the privacy of individuals was protected at DoD-controlled
    collection storage locations, no controls were present at 3 of the 17 sites
    where web masters allowed third parties to use persistent cookies to collect
    involuntary information. At those sites, the web masters did not know what
    information the third party collected or how it was stored, and had little assurance
    that the information was protected and had not been sold or given away.

Conclusion

    DoD privacy guidance requires the display of a privacy notice on principal web
    sites and at locations where substantial personal information from visitors is
    collected.
    It prohibits using web technology to collect identifying information,
    build profiles on individuals, or use persistent cookies except when visitors are
    advised of what is being collected, why, and how it will be used. The Secretary
    of Defense must approve the use of persistent cookies.

    Although the DoD guidance was adequate, the collection of information on web
    site visitors by collection devices was present at 128 sites, or 32 percent of the
    sites sampled. The continued lack of privacy statements at web sites and
    collection locations and the use of third-party cookies indicated that previous
    DoD feedback to OMB that requisite policies had been fully implemented was
    premature. Also, DoD has inadequate assurance that the involuntary collection
    of personal information by commercial companies at DoD web sites is
    safeguarded and not sold or given away after it is collected.

    All DoD web masters must be made aware of the DoD and OMB policy that
    ensures the rights of individuals who visit DoD web sites will be protected.
    DoD web masters must be held accountable for compliance.

    All 36 web masters visited whose sites contained collection devices agreed to
    remove the persistent cookies, including commercial third-party cookies, and
    web bugs, or to remove the web site from the Internet. The web masters also
    agreed to verify that corrective actions were taken.

Management Comments on the Finding and Audit Response

    Management Comments.
    The Deputy Assistant Secretary of Defense (Security
    and Information Operations), who responded for the Assistant Secretary of
    Defense (Command, Control, Communications and Intelligence), stated that the
    Heads of Components are responsible for compliance with policy, and that they
    generally delegate it to the sponsoring organization’s commander and not to the
    web masters. He agreed that DoD used persistent cookies but stated that our report
    did not necessarily support a conclusion that the persistent cookies were being
    used to collect user-identifying information. He also stated that the updated
    policy following issuance of the OMB policy now prohibits all uses of persistent
    cookies without a specific waiver.

    Although not required to comment, the Director, Defense Privacy Office, stated
    that he believed the congressional tasking was designed to determine whether
    Federal agencies were knowingly using web technology to collect information
    on visitors to Government public web sites and using it in a prohibited manner.
    He stated that the report did not address this aspect. He commented that the
    report stated that most web masters were unaware of the collection activity,
    which he believed constitutes an act of nonfeasance and not malfeasance. The
    Director also commented that the report provided no indication that those who
    were aware of the collection activity used the information to build profiles or
    track visitors, and that the report should clarify those results in its conclusion.
    He further stated that it was assumed that the web sites visited constituted a
    principal web site, a known major entry point, or a site where substantial
    personal information was collected. Many users bypass the major entry points
    where the privacy and security notices are posted.
    However, a visitor can
    review the privacy notice of the web site by visiting the major entry point where
    those notices are posted. The Director recommended that the report be revised
    to recognize recent policy changes regarding the use of persistent cookies and
    voluntary collection of information.

    Audit Response. The June 22, 2000, OMB memorandum stated that because
    of the unique laws and traditions about Government access to citizens’ personal
    information, the presumption should be that “cookies” will not be used at
    Federal web sites. The memorandum further stated that particular privacy
    concerns may be raised when use of web technology (such as persistent cookies)
    can track the activities of users over time and across different web sites.
    Further, these concerns are especially great where individuals who have come to
    Government web sites do not have clear and conspicuous notice of any such
    tracking activities. The September 5, 2000, letter from OMB further clarified
    the June 2000 memorandum and stated that persistent cookies should not be used
    unless four conditions were met, which included approval by the head of the
    agency. Our review did not specifically identify what was collected; rather,
    our review focused on whether collection devices, such as persistent cookies,
    existed at the web sites. As stated in the Office of Management and Budget
    September 5, 2000, letter, even if persistent cookies did not themselves contain
    personally identifiable information, such cookies can often be linked to a person
    after the fact, even where that was not the original intent of the web master.
    The Office of Management and Budget policy clearly applies to all uses of
    persistent cookies because by their very nature those cookies collect some type
    of information based on visits made by individuals to a web site.
    Also, the
    Deputy Assistant Secretary’s response indicated that DoD policy had been
    updated following the issuance of OMB policy, and prohibited all uses of
    persistent cookies without a specific waiver. However, the April 26, 2001,
    policy update placed the policy on the use of persistent cookies under
    section 12.2.3, “Automated Collection of User-Identifying Information on
    Publicly Accessible Web Sites.” By doing so, the policy on the use of persistent
    cookies appears to apply only to user-identifying information. The OMB policy
    clearly intended the policy on the use of persistent cookies to apply to both
    user-identifying and non-user-identifying information. Management comments were
    generally consistent with OMB policy; however, the April 26, 2001, policy
    update was not. Accordingly, we have added a recommendation to require DoD
    to correct its policy on the use of persistent cookies.

    With respect to the Director’s comments on the Internet web sites reviewed, we
    selected a sample of DoD web sites listed in the Government Information
    Locator Service, which is the single entry point where the public can locate,
    access, and obtain DoD information.

    We made changes to the report based on other comments made by the Deputy
    Assistant Secretary and the Director. Those changes are referenced in the
    Management Comments section of the report.

Recommendations, Management Comments, and Audit Response

    Renumbered, Revised and Added Recommendation. As a result of
    management comments, we revised the recommendation to include the Defense
    Privacy Office to recognize its role in ensuring privacy policy compliance. We
    also added Recommendation 2. to correct the DoD policy concerning the use of
    persistent cookies.

    1.
    We recommend that the Assistant Secretary of Defense (Command,
    Control, Communications and Intelligence), in consultation with the Defense
    Privacy Office, require the DoD Components to report on what they have
    done to:

          a. Distribute DoD privacy and data collection policy to their web
    masters.

          b. Provide their web masters with instructions to identify data
    collection devices.

          c. Eliminate third-party cookies and other data collection devices.

          d. Post privacy notices at major entry points to a site and at sites
    where substantial personal information is collected from the public.

          e. Hold web masters accountable for compliance with DoD and
    Office of Management and Budget policy on a continuing basis.

    2. We recommend that the Assistant Secretary of Defense (Command,
    Control, Communications and Intelligence) revise the DoD Web Site
    Administration Policy to clearly show that the policy on the use of persistent
    cookies applies to both non-user-identifying information and user-identifying
    information.

    Management Comments. The Deputy Assistant Secretary of Defense (Security
    and Information Operations), responding for the Assistant Secretary of Defense
    (Command, Control, Communications and Intelligence), partially agreed with
    the recommendation. He set an August 31, 2001, date for DoD Components to
    complete actions to implement the recommendations. The Director, Defense
    Privacy Office, stated that the recommendation should be revised to include the
    Defense Privacy Office because it has a role in ensuring that the DoD
    Components comply with privacy policy.

    Audit Response. The Deputy Assistant Secretary’s comments were responsive to
    Recommendation 1. We also request comments on Recommendation 2., which
    was added.

Appendix A.
Audit Process

Scope and Methodology

    Audit Type, Dates and Standards. We performed this economy and efficiency
    audit from December 2000 through May 2001, in accordance with auditing
    standards issued by the Comptroller General of the United States, as
    implemented by the Inspector General, DoD. We judgmentally selected 400
    DoD agency, Office of the Secretary of Defense, and Service web sites
    registered in the Government Information Locator Service. We relied on
    computer-processed data from the Government Information Locator Service
    without performing tests of system general and application controls to confirm
    the reliability of the database. However, not establishing the reliability of the
    database will not affect the results of our audit. We relied on judgmental
    sampling procedures to develop conclusions on this audit.

    We reviewed and evaluated web sites of the Army, Navy, Air Force, Marine
    Corps, and other DoD agencies. We compared those sites to OMB and DoD
    policies on privacy, specifically on collecting, creating, reviewing, and sharing
    with third parties personally identifiable information about individuals and their
    access and viewing habits at Government and nongovernment sites.

    We used Microsoft Internet Explorer to assist us in identifying and validating
    cookies, and used a software program, “Bugnosis Beta 5,” provided to us by the
    Privacy Foundation to assist us in identifying web bugs. We conducted
    discussions with DoD Components and the Services to evaluate whether web
    site administrators were aware of the DoD and OMB policies on personal
    information. We attempted to determine what information was being collected,
    why it was being collected, how it was stored, and whether personal information
    was sold or provided to any party outside the Government for any purpose.
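The report notes that web masters were not given instructions for identifying persistent cookies or web bugs on their own sites. The following is an added example of such a check; it is not part of the report and is not the Internet Explorer or Bugnosis tooling the audit used. It assumes the reviewer has recorded each Set-Cookie header observed while loading a page together with the host that sent it, and has the page's HTML. The site name, headers and HTML below are constructed samples, and the web-bug rating (one point per heuristic hit) is a hypothetical scale of this example, not the Bugnosis rating the report refers to.

```python
"""Static check for web-tracking "collection devices" on a single page.

Added example, not from the audit report. Given the Set-Cookie headers seen
while loading a page and the page's HTML, it flags:
  1. persistent cookies  (an Expires or Max-Age attribute is present),
  2. third-party cookies (set by a host outside the visited site), and
  3. web-bug candidates  (tiny images, third-party hosts, identifiers in the
     query string), scored with a hypothetical rating that is NOT the
     Bugnosis scale mentioned in the report.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass
class CookieFinding:
    name: str
    set_by: str        # host whose response carried the Set-Cookie header
    persistent: bool   # survives the browser session (Expires or Max-Age)
    third_party: bool  # set_by is outside the visited site


@dataclass
class WebBugFinding:
    src: str
    rating: int        # number of heuristics hit (hypothetical scale)
    reasons: list


def _registrable(host: str) -> str:
    """Crude site key: the last two labels (assumption: no multi-label TLDs)."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(site_host: str, other_host: str) -> bool:
    return _registrable(site_host) != _registrable(other_host)


def parse_set_cookie(set_by: str, header: str, site_host: str) -> CookieFinding:
    """Classify one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFinding(
        name=name,
        set_by=set_by,
        persistent=bool(attrs & {"expires", "max-age"}),
        third_party=is_third_party(site_host, set_by),
    )


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the page."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))


def _tiny(value) -> bool:
    """True for a 0 or 1 pixel dimension ("1", "1px"); False if absent or non-numeric."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def find_web_bugs(html: str, site_host: str) -> list:
    """Return web-bug candidates with rating >= 1 for manual review, strongest first."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.imgs:
        src = attrs.get("src", "")
        url = urlsplit(src)
        host = url.hostname or site_host          # relative URL -> same site
        reasons = []
        if _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
            reasons.append("tiny image")
        if is_third_party(site_host, host):
            reasons.append("third-party host")
        if url.query:
            reasons.append("identifier in query string")
        if reasons:
            findings.append(WebBugFinding(src, len(reasons), reasons))
    return sorted(findings, key=lambda f: -f.rating)


def audit_page(site_host: str, set_cookie_headers: list, html: str) -> dict:
    """Summarise the collection devices found for one page."""
    cookies = [parse_set_cookie(h, v, site_host) for h, v in set_cookie_headers]
    return {
        "persistent_cookies": [c.name for c in cookies if c.persistent],
        "third_party_cookies": [c.name for c in cookies if c.third_party],
        "web_bugs": find_web_bugs(html, site_host),
    }


# Constructed sample: a fictitious site, the (sending host, Set-Cookie) pairs
# observed while loading it, and its HTML. None of this comes from the report.
SITE = "www.example.mil"
SAMPLE_SET_COOKIES = [
    ("www.example.mil", "ASPSESSIONID=abc123; path=/"),                                   # session only
    ("www.example.mil", "visitor=7f3a; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/"),  # persistent
    ("ad.tracker-example.com", "uid=55; Max-Age=31536000; path=/"),                      # persistent, third-party
]
SAMPLE_HTML = """<html><body>
<img src="/images/seal.gif" width="100" height="100" alt="Command seal">
<img src="http://ad.tracker-example.com/pixel.gif?id=55" width="1" height="1">
<img src="/images/spacer.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    result = audit_page(SITE, SAMPLE_SET_COOKIES, SAMPLE_HTML)
    print("persistent cookies :", result["persistent_cookies"])
    print("third-party cookies:", result["third_party_cookies"])
    for bug in result["web_bugs"]:
        print(f"web bug candidate  : {bug.src} rating={bug.rating} {bug.reasons}")
```

On the constructed sample the check reports `visitor` and `uid` as persistent cookies, `uid` as a third-party cookie, and lists the 1x1 third-party tracking pixel (rating 3) ahead of the same-site spacer image (rating 1). Every candidate with a rating of 1 or more is kept for review of the page source, which is the kind of manual confirmation the report describes for its web-bug count; a same-site spacer is usually benign, while a tiny third-party image carrying an identifier in its URL is the classic web bug.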
    For
    the most part, where we identified a collection device, we could not determine
    what was being collected or whether it was sold or given away to any party.
    Because many of the web masters we contacted were unaware of the collection
    device, we could not, in many cases, determine how it was stored and why it was
    collected. We did not evaluate the management control program as it related to
    the overall objectives because of the narrow time frame provided by Congress to
    issue a report.

    Use of Technical Assistance. The Technical Assessment Division, Audit
    Followup and Technical Support Directorate, Quantitative Methods Division,
    and the Information Systems Directorate, Office of the Inspector General,
    provided expertise in identifying web bugs. The Technical Assessment Division
    reviewed cookies and other means used to obtain personal information. The
    Quantitative Methods Division assisted in the judgmental selection of our
    sample. The Information Systems Directorate reviewed source code and other
    information at each site where we received a numerical rating of 1 or greater
    and concluded that there were 7 web bugs.

    Contacts During the Audit. We visited or contacted individuals and
    organizations within DoD. Further details are available on request.

    General Accounting Office High-Risk Area and Corporate-Level Goals.
    The
    General Accounting Office lists information assurance as a high-risk area.
    Although the Secretary of Defense annually establishes DoD-wide corporate-level
    goals and performance measures to address the requirements of the
    Government Performance and Results Act, the Act does not currently provide
    corporate-level goals for information assurance.

Prior Audit Coverage

General Accounting Office

    During the last 5 years, GAO issued two reports on the subject of Internet
    privacy.

    GAO Report No. GAO-01-147R, “Internet Privacy: Federal Agency Use of
    Cookies,” October 20, 2000

    GAO Report No. GAO/AIMD-00-296R, “Internet Privacy: Comparison of
    Federal Agency Practices With FTC's Fair Information Principles,”
    September 11, 2000

Appendix B. Revision to DoD Web Site Administration Policy

Appendix C.
Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)
Deputy Chief Financial Officer
Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and
   Intelligence)
Director, Administration and Management

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)

Other Defense Organizations
Director, Defense Contract Audit Agency
Defense Finance and Accounting Service
Director, Defense Logistics Agency
Director, Defense Information Systems Agency
Washington Headquarters Service
   Director, Defense Privacy Office

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Subcommittee on Treasury and General Government, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Subcommittee on Treasury, Postal Service and General Government, Committee on
  Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and
  Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International Relations,
  Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on Government
  Reform

Office of the Assistant Secretary of Defense
(Command, Control, Communications and
Intelligence)
Comments

Defense Privacy Office Comments

Audit Team Members
The Acquisition Management Directorate, Office of the Assistant Inspector General for
Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General,
DoD, who contributed to the report are listed below.

Mary Ugone
Raymond A. Spencer
Thomas S. Bartoszek
Lisa E. Novis
Thomas J. Hilliard
Thelma E. Jackson
Rudolf Noordhuizen
Gary B. Dutton
Chanda D. Lee
Sarah L. Brownwell
Trisha L. Staley
Stacey L. Kreinbrook
Mandi L. Markwart
Brian K. Jacques
Jenshel D. Marshall